Server-side Request Forgery (SSRF) Affecting activitypub_federation package, versions <0.5.10


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUST-ACTIVITYPUBFEDERATION-8708049
  • published11 Feb 2025
  • disclosed10 Feb 2025
  • creditNatann (nnfrog)

Introduced: 10 Feb 2025

CVE NOT AVAILABLE CWE-918  (opens in a new tab)

How to fix?

Upgrade activitypub_federation to version 0.5.10 or higher.

Overview

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the verify_url_valid, which allows a user to bypass predefined hardcoded URL paths and security mechanisms designed to prevent Localhost access, enabling arbitrary GET requests to any host, port, and URL via a Webfinger request.

CVSS Base Scores

version 4.0
version 3.1